Simple passwords aren't good enough any more, as the flood of stories about phishing, fraud, and compromised accounts by the millions demonstrate. The Next Big Thing in computer security is two-factor authentication and, like it or not, you're probably going to be dealing with it in the next year or so. But two-factor authentication is a concept, not a product, and how it's implemented is critical to its success.

The Need for Better Security

Simple passwords, the backbone of modern computer security, are notoriously
insecure. One result is that something like 10 million Americans have been
victims of identity theft to the tune of about $50 billion, according to the
U.S. Federal Trade Commission.

Obviously, we need something better than passwords, and the consensus is that
the "something better" is a concept called two-factor
authentication.

This is neither academic nor theoretical. Two-factor authentication is
bearing down on us with the speed—and all the fine control—of a
runaway freight train. Last December, the Federal Deposit Insurance Corporation
(FDIC) issued a report recommending that financial institutions move to
two-factor authentication in place of passwords. Many banks, such as Bank of
America, are running pilot projects to evaluate two-factor authentication for
their online banking customers. Some institutions have already made the jump.
For example, E*Trade Financial, a leading online brokerage, already offers
customers a two-factor authentication system.

This isn't just banks and brokerages. We can expect to see passwords
rapidly replaced by two-factor systems in any application for which security is
important. At this year's CeBIT trade show in Europe, Microsoft announced
that it plans to go to two-factor authentication in future versions of its
operating systems.

Some vendors are already using the technique. Nexsan Technologies has just
released a secure storage system that uses two-factor authentication to
ensure the integrity of key recovery. Nexsan's Assureon product uses an
elaborate encryption system that encrypts each file separately and then encrypts
a manifest file containing the keys to the files. To recover the files in the
event of a failure, the administrator needs a hardware key. Nexsan issues
several copies of the key device with each Assureon system, and the customers
keep them in safe deposit boxes or other secure locations until needed.

In fact, any application that uses passwords today is a strong candidate for
two-factor authentication in the next few years. This implies that any
enterprise that develops applications will have to choose a two-factor
authentication system to use with its products. It also suggests that all
Windows administrators are going to be expected to evaluate two-factor
authentication schemes as part of nearly any product selection.

And evaluating two-factor authentication—whether as part of evaluating
an application for your enterprise's use or choosing a system to
incorporate in your own applications—isn't simple. Two-factor
authentication isn't a product; it isn't even a technology. It's
a concept, and there are many, many ways of implementing it. Not all of those
ways are equally useful or equally secure, and not all the products that use them
are equally well designed. What's more, there are major tradeoffs among
security, cost, and performance. The systems that provide the highest levels of
security are also the most costly and usually exact the largest performance
penalties.